{
	"id": "b8e2929c-753f-421a-bb50-ef869d0bf813",
	"created_at": "2026-04-06T00:12:12.836051Z",
	"updated_at": "2026-04-10T03:21:28.80117Z",
	"deleted_at": null,
	"sha1_hash": "2287efda22658ec561d2e23226ecd4c58cc695a8",
	"title": "The Re-Emergence of Emotet | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 658741,
	"plain_text": "The Re-Emergence of Emotet | Deep Instinct\r\nBy Ron Ben YizhakSecurity Researcher\r\nPublished: 2021-11-30 · Archived: 2026-04-05 16:08:52 UTC\r\nEmotet, the malware botnet, has resurfaced after almost 10 months. The operation was originally taken down by\r\nmultiple international law enforcement agencies this past January. These agencies took control of the\r\ninfrastructure and scheduled an un-installation of the malware on April 25.\r\nSo what does the re-emergence of Emotet mean, and how can cyber professionals prepare for new threats? This\r\nblog will analyze the new DLL, break down a new unpacking technique and new features, and review similarities\r\nin the new variant with the previous version.\r\nWe will also explore a novel tool called “DeMotet” that automates the analysis of Emotet samples on a large scale\r\nand includes an unpacker for the latest loader and decryption scripts for the payload. It is used to detect any\r\nmodification in the malware, and it is now publicly available.\r\nStatic Analysis\r\nFor this analysis, the following sample will be used:\r\n76816ba1a506eba7151bce38b3e6d673362355063c8fd92444b6bec5ad106c21\r\nAs shown in our previous blog posts, the execution flow of Emotet consists of multiple stages that are unpacked in\r\nsuccession. As expected, this is still the case with the new variant. The DLL that is written to disk isn’t the actual\r\npayload that communicates with the C2 servers. This can be seen by a review of the static information of the\r\nresources.\r\nThe entropy of the bitmap resource is high, and it most likely contains encrypted information. To unpack the next\r\nstage, the decryption routine needs to be found.\r\nThis resource will be accessed before decryption starts. 
A breakpoint can be set on the “FindResourceA” function to reach this point.\r\nExtracting the Next Stage\r\nThe malware reaches the breakpoint, and the function then returns to the address 0x10005701.\r\nhttps://www.deepinstinct.com/blog/the-re-emergence-of-emotet\r\nPage 1 of 5\r\nThe parameters passed to “FindResourceA” match the suspicious resource. This API is called through a register because it isn’t imported; its address is resolved at run time to hinder static analysis. The function then allocates memory based on the size of the resource and runs through several decryption loops.\r\nThe return value is the next stage. The size of the decrypted file is specified in the code, which makes extracting it from memory even easier.\r\nComparing Variants\r\nIn the past, there was a middle stage between the loader and the payload. Based on our previous analysis of the Emotet payload, the file extracted here is the payload itself and not a middle stage, for three reasons:\r\n1. The PE file has no imported API functions.\r\n2. There are barely any strings present.\r\n3. The malware uses the same code obfuscation techniques.\r\n[Figure: on the left, the new payload; on the right, a payload from January 2021]\r\nThe payload conceals its capabilities by hiding the information that static analysis relies on. Only hashes of the API function names are stored in the code, and the addresses are resolved at run time instead of through the Import Address Table. The strings are encrypted inside the file.\r\nThe code is obfuscated using Control Flow Flattening, which works as follows:\r\n1. A number is assigned to each basic block.\r\n2. The obfuscator introduces a block number variable, indicating which block should execute.\r\n3. 
Each block, instead of transferring control to a successor with a branch instruction as usual, updates the block number variable to its chosen successor.\r\n4. The ordinary control flow is replaced with a switch statement over the block number variable, wrapped inside a loop.\r\nNew dynamically resolved functions from bcrypt.dll were added to the payload, together with the strings that serve as constants for those functions, such as “ECDH_P256” and “Microsoft Primitive Provider” (the Windows CNG identifiers for the ECDH P-256 algorithm and the default primitive provider). This is probably due to Emotet changing its communication protocol from HTTP to HTTPS.\r\nThe name hashing and string decryption algorithms were kept. This means that “DeMotet” is still able to recover this information.\r\nIntroducing “DeMotet”\r\nDeep Instinct has been closely following Emotet for some time. “DeMotet” was developed to automate the research performed on the malware. The tool is a static unpacker for the latest variant of the Emotet loader: it extracts the encrypted payload from the resource without executing the malware. Two Python scripts are also included that reveal the hidden strings and API calls the payload uses. The first is a standalone script that can extract this information from a large number of payloads. The second is an IDA plugin that adds the information as comments in the code.\r\n“DeMotet” can be used to track new variants of the malware. New samples of Emotet can be downloaded and unpacked regularly. Once the unpacking process of the malware is modified, the tool will fail. This is an indication of a new variant. The variant is then analyzed manually to update the tool so the automation can be restored. 
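Going back to the control flow flattening described under Comparing Variants, the Python below is an added example written for this page (it is not Emotet’s code and not from the post) that shows the four steps on a small function: a checksum loop with an early exit, first in its natural shape and then hand-flattened the way the obfuscator does it. The block numbers, the multiplier 31 and the test inputs are all made up for the illustration.

```python
def checksum_plain(data):
    # Natural control flow: a loop with a conditional early exit on a zero byte.
    # The multiplier 31 is arbitrary; the point is the shape of the function.
    total = 0
    for b in data:
        if b == 0:
            break
        total = (total * 31 + b) & 0xFFFFFFFF
    return total


# Step 1: a number for each basic block of checksum_plain. The values are made up;
# a real obfuscator uses opaque constants, so their order reveals nothing.
BLK_ENTRY = 0x3A7F      # total = 0, i = 0
BLK_LOOP_TEST = 0x5C21  # for-loop header: bytes left?
BLK_ZERO_TEST = 0x0E90  # if b == 0: break
BLK_BODY = 0x71B4       # total = total * 31 + b
BLK_RETURN = 0x2D06     # return total


def checksum_flattened(data, trace=None):
    # The same function after control flow flattening. Step 2: the block number
    # variable (state). Step 3: every block ends by assigning its successor to state.
    # Step 4: a switch over state wrapped in a loop replaces the original branches.
    # If trace is a set, each observed (block, successor) pair is recorded in it.
    state = BLK_ENTRY
    total = 0
    i = 0
    while state != BLK_RETURN:
        prev = state
        if state == BLK_ENTRY:
            total, i = 0, 0
            state = BLK_LOOP_TEST
        elif state == BLK_LOOP_TEST:
            state = BLK_ZERO_TEST if i < len(data) else BLK_RETURN
        elif state == BLK_ZERO_TEST:
            state = BLK_RETURN if data[i] == 0 else BLK_BODY
        elif state == BLK_BODY:
            total = (total * 31 + data[i]) & 0xFFFFFFFF
            i += 1
            state = BLK_LOOP_TEST
        else:
            raise ValueError('unknown block number 0x%x' % state)
        if trace is not None:
            trace.add((prev, state))
    return total


def recover_edges(inputs):
    # Deobfuscation aid: run the flattened function on several inputs and collect
    # the successor pairs. With enough coverage the set is the original control
    # flow graph, which is what a static deobfuscator has to reconstruct from the
    # assignments to the block number variable.
    edges = set()
    for data in inputs:
        checksum_flattened(data, trace=edges)
    return edges
```

Both functions return the same value for every input; what changed is that the branches between blocks are gone and only the writes to the block number variable remain, which is why recovering the original graph means tracking those writes rather than following jumps.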
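The string and API recovery that DeMotet automates rests on a hash-to-name table: hash every export of the DLLs the payload resolves, then look up the constants found in the code. The Python below is an added example for this page, not DeMotet’s code. The post does not publish Emotet’s hash algorithm, so a rotate-right-13-and-add hash (a common shellcode-resolver scheme) stands in for it, the export list is a short constructed subset, and the scanned byte string is constructed with two hash constants embedded the way an immediate operand would carry them.

```python
import struct


def api_hash(name):
    # Stand-in hash: rotate-right-13 then add each character. This is NOT Emotet’s
    # algorithm (the post does not publish it); swap in the real one to use this
    # against actual payloads.
    h = 0
    for ch in name.encode('ascii'):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed subset of export names. In practice read them from the export
# directories of the DLLs the payload resolves (kernel32, bcrypt, ...).
EXPORTS = {
    'kernel32.dll': ['FindResourceA', 'LoadResource', 'SizeofResource', 'VirtualAlloc', 'GetProcAddress'],
    'bcrypt.dll': ['BCryptOpenAlgorithmProvider', 'BCryptGenerateKeyPair', 'BCryptSecretAgreement'],
}


def build_hash_table(exports, hash_fn=api_hash):
    # Map hash -> list of (dll, name). Collisions are kept rather than silently
    # dropped so that an ambiguous constant is reported as ambiguous.
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append((dll, name))
    return table


def find_hash_refs(code, table):
    # Scan every byte offset for a 32-bit little-endian immediate that matches a
    # known hash. Immediates in x86 code are unaligned, so step by one byte.
    hits = []
    for off in range(len(code) - 3):
        value = struct.unpack_from('<I', code, off)[0]
        for dll, name in table.get(value, []):
            hits.append((off, dll, name))
    return hits


# Constructed byte string standing in for a fragment of the payload: filler bytes
# with two hash immediates embedded at offsets 8 and 15.
PAYLOAD_FRAGMENT = (
    bytes(8)
    + struct.pack('<I', api_hash('FindResourceA'))
    + bytes(3)
    + struct.pack('<I', api_hash('BCryptOpenAlgorithmProvider'))
    + bytes(5)
)


def annotate(code=PAYLOAD_FRAGMENT, exports=EXPORTS):
    # Returns comment lines of the kind an IDA plugin would attach at each offset.
    table = build_hash_table(exports)
    return ['0x%04x: %s!%s' % (off, dll, name) for off, dll, name in find_hash_refs(code, table)]
```

Because the table is built from export names rather than from the sample, a constant that resolves to nothing is itself a signal: either the hash algorithm changed, which is the kind of break that flags a new variant, or the payload is calling an API from a DLL not yet in the table, which is the kind of new feature worth a closer look.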
Finding new strings and newly resolved API functions in the payload is also indicative of a new feature.\r\nThe tool is available in this GitHub repository.\r\nSummary\r\nThe notorious botnet Emotet is back, and we can expect new tricks and evasion techniques to be implemented in the malware as the operation progresses, perhaps even returning it to the status of a significant global threat. However, by using the techniques and tools presented in this article, the analysis of the malware can be simplified and automated.\r\nDeep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first and only purpose-built, deep learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in \u003c20 milliseconds, 750X faster than the fastest ransomware can encrypt.\r\nIf you’d like to learn more about our malware, ransomware, and zero-day prevention capabilities, including our industry-best $3M no-ransomware guarantee, we’d be delighted to give you a demo.\r\nIOC\r\nLoader SHA256 hashes:\r\n3b3b65d42e44bcc0df291ddab72f1351784f7e66357a4ec75ee5c982ef556149\r\n6b477d63b3504c6eab3c35057b99d467039995783f5f14714ae6af4f83b9dcb3\r\n442ff2de8a19c3f6cf793f9209ffd21da18aa7eb5b4c4c280222eb9f10a2c68a\r\n9ac36258c63a5edfd29e3ed1882c61487ef2c70637192108cc84eb4ea27f7502\r\n00ceb55abdb43042c6f7fabd327e6e1a6cdefed723dea6c4e90d159b9466518c\r\nSource: https://www.deepinstinct.com/blog/the-re-emergence-of-emotet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/blog/the-re-emergence-of-emotet"
	],
	"report_names": [
		"the-re-emergence-of-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2287efda22658ec561d2e23226ecd4c58cc695a8.pdf",
		"text": "https://archive.orkl.eu/2287efda22658ec561d2e23226ecd4c58cc695a8.txt",
		"img": "https://archive.orkl.eu/2287efda22658ec561d2e23226ecd4c58cc695a8.jpg"
	}
}